Enterprise Security – Part 2 of 2
Learn how big data, machine learning, business intelligence, and holistic security profiling help make enterprise security an affordable reality – and of course, help ward off the zombies.
“I’ll be back.”
~ The Terminator
Part 1 of this series on enterprise security explored 6 IT tools and tactics that safeguard enterprise assets, defined their primary roles on the security team, cautioned about limitations, and noted – most importantly – the various types of data each system collects and uses.
“With so many security threats, both known and unknown, and so much data available to collect, how can an enterprise better use its data to protect itself? What information should be collected – that is not part of a traditional security profile – that could provide a sharper edge against future attacks?”
Traditional security strategies are just not enough to thwart the unseen and prevent the unknown. But there is hope in the data. Just as enterprises have found hidden gold in their data, so too are there new ways to collect and analyze data that will help companies identify which of the holes in the fortress is the most vulnerable today – and which might become most vulnerable tomorrow.
In other words, the zombie apocalypse is coming – so better get ready.
There are lessons to be learned from the bad guys.
In The Terminator series, Skynet, the unseen antagonist and artificial intelligence system, programmed the machines to teach themselves to perpetually adapt to changing combat environments. The smart machines grew powerful less because of their abilities to destroy and more because they were practically indestructible.
It is not possible to know all the potential threats and attacks. It has not been possible to assess the real potential threats to a company, based on its profile, in any holistic way. Traditionally there has been too much information with too many unknown elements, which have not been and may never be correlated because of the size, complexity and obscurity of the correlations. Building a complete picture of how vulnerabilities have been exploited in the past, and of the vulnerabilities discovered along the way, has been difficult at best and relies mostly on individual analysis. Significant progress in tactical devices such as IPS, IDS, endpoint security, and encryption has increased the ability to respond to the fluid set of vulnerabilities in the modern, highly distributed, complex infrastructure. The more security an enterprise wants, the more it will spend. Enterprises try to achieve high-level security without necessarily correlating that spending to how effective the same tactics have actually been in similar types of businesses and situations. By characterizing, storing and indexing a broad amount of information about the sum total of an enterprise, it is now possible to take effectiveness analysis, and therefore ROI analysis, to the next level.
The future holds new promise. By combining sources of information that were previously unavailable, not practically usable, or not appropriately characterized, techniques and tools from other industries can be applied.
How can you use data to enhance security – affordably?
Think like the enemy
Collect more data
7. Attack Event and Circumstance Characteristics
How it Protects:
Storing all information – that traditionally has not been captured for post-mortem and predictive analysis – at the time of, during, and after attacks using “Big Data” techniques (store everything for later use) can provide new security insights. To make use of the information it must be characterized for analysis through a taxonomy and Master Data Management (MDM). This information can include: logs at the time of attack; personal activity at the time of attack; transactional activity; all non-IT activity; detailed company profile; detailed employee profiles; current, recent and near future corporate events.
What You Need to Know:
Monitoring sentiment (internal, external, hacker community) can provide very effective predictive analysis. Hackers, such as those who make up “Anonymous,” have a tendency to brag before, during and after an attack using public but less popular social media sites, especially blogs. Honeypots (traps) created to collect and monitor sentiment information have been very successful in luring hackers.
Holy shit – that’s a lot of disparate data! The tools are there.
Sentiment tracking is not just about whether people think you are awesome or that you suck. It is about building a profile of the people who are discussing you – and what seems to drive them to spread the word.
If an attack requires 12 hackers, then you would want to track those 12 and see what they are saying about you. But that is too simplistic. The real correlations are not obvious – so what do you do? You let the computers find the correlations, try to make use of that knowledge, and then measure the effectiveness of that proactive step. That is machine learning.
What’s different now? From a big data standpoint, there is more interconnected data, and there are practical (affordable) ways of storing and retrieving it.
There are systems that can semi-autonomously analyze, act, measure effectiveness, learn and start all over again.
The human element in the data is fairly static – but you also have to account for dynamic conditions and indicators of future conditions (sentiment, hacker tracking) – the one we cut.
The data is out there. Machine learning capability and drone-style autonomy are no longer nascent. It’s not futuristic – it’s here.
Compare to others that are not like you
Being able to data-profile one business against another has been impossible because there is too much data, it has never been done, and you have to weed out the differences between the two organizations that are not important – and that do not apply to each other. <obtuse statement about finding patterns and chaos>
Hospital vs. Retail Chain –
What can be collected?
Social media/hackers – the dynamic conditions on the ground outside your own little fortress. You’ve defined the barbarians, but what are they doing at the moment? What are they thinking, what are they planning, how easy a target are you, and which category of target do you fit for them? Get into the mind of the enemy (and stay there!) See your organization as they see it. Target probably never thought they would be a target.
You don’t know what your value is as a target. You don’t have a model for what it means to be categorized as a target – so how can you have the vaguest idea of how much to spend? Once you get there, you have to realize that you’re not the only one to get there in your thinking, and ask how you can learn from what happened to Target.
Say Target didn’t have an online presence. Target was a target because of its interconnectedness. The breach occurred through an outside vendor – so it wasn’t the fact that they were a retail organization, it was that they use a large number of sub-contractors that left them vulnerable – because of the attributes of the way they do business.
What are the non-obvious connections you’re looking to find?
A non-direct comparison would be BGE Home. How could they possibly compare to Target?
They have a large number of service customers.
They use a large number of sub-contractors to service the needs of their customers – if
Feed the smart machines
We now have the data to feed them and allow them to work in that semi-autonomous fashion.
Start with interconnected semi-autonomous agents able to perform complex actions, based on a large vat of knowledge constantly streaming to them about conditions. Mix in the emergent behavior that is inevitable in complex systems, and something becomes self-aware and starts killing off the humans.
Ergo – you get a hive mind – lots of semi-autonomous
Smart machines can help predict vulnerabilities, via previously uncorrelated information and help drive decision making on security investments.
Machine learning systems (artificial intelligence in practice) can be used to detect patterns and adjust strategies while monitoring effectiveness. The machine learns what it needs to in order to understand the data and interact with the systems, so as to improve the outcomes detected in the data. IPS and IDS systems do this on a very small, defined slice of data: they try to find security breach patterns and respond to them. Some patterns are defined and some are learned by the machine along the way. The machine tweaks something in the environment and tries to figure out if it worked. Example: a spam filter judges its effectiveness by how many complaints it gets and changes something about the environment – discovery. Hook it up to another spam service, allow it to figure out what weighting to give to certain spam detection services and
Give more centralized control to the machine learning. The Amish mafia botnet operates between 11pm and 1am, and if machine learning detects that, it may be able to respond to transitioning situations. If you’re a botnet owner and you know that they use certain spam services, you could flood an email server – so build mechanisms to control the tweaks.
Machine learning covers the things that help the machine discover. Give the learning machine the capability to take action and determine whether or not the actions worked, instead of just having the machine automatically respond in known ways. Here are the things you can have control of; figure it out. The actions should be well defined ahead of time rather than just handing the machine learning the control.
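The feedback loop described above, in its simplest workable form, as an added example (this is not code from the original post): several independent detection services each give a verdict, the ensemble combines them by weight, and after each piece of ground truth arrives (a complaint, a confirmed miss) the weight of every service that was wrong is cut in half. That is the classic weighted-majority scheme, and it keeps the action space fixed ahead of time: the learner may only re-weight verdicts, nothing else. The service names and the sample feed are constructed for illustration.

```python
"""Weighted-majority re-weighting of several detection services.

Added example, not from the original post. The ensemble's only permitted
action is to adjust how much each service's verdict counts; every other
response remains a pre-defined decision outside the learner.
Service names ("a", "b", "c") and SAMPLE_FEED are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class WeightedMajority:
    services: list                    # names of the detection services
    penalty: float = 0.5              # factor applied to a wrong service's weight
    weights: dict = field(init=False)

    def __post_init__(self):
        # every service starts with equal trust
        self.weights = {s: 1.0 for s in self.services}

    def decide(self, verdicts):
        """verdicts: {service: True if it flags the message} -> ensemble verdict."""
        flagged = sum(self.weights[s] for s, v in verdicts.items() if v)
        cleared = sum(self.weights[s] for s, v in verdicts.items() if not v)
        return flagged > cleared

    def feedback(self, verdicts, truth):
        """Penalise every service whose verdict disagreed with the ground truth."""
        for s, v in verdicts.items():
            if v != truth:
                self.weights[s] *= self.penalty


# Constructed feed: (verdict of each service, ground truth learned afterwards).
# Service "c" is wrong on every message, "b" is wrong twice, "a" never.
SAMPLE_FEED = [
    ({"a": True,  "b": True,  "c": False}, True),
    ({"a": False, "b": False, "c": True},  False),
    ({"a": True,  "b": False, "c": False}, True),
    ({"a": False, "b": False, "c": True},  False),
    ({"a": True,  "b": True,  "c": False}, True),
    ({"a": False, "b": True,  "c": True},  False),
    ({"a": True,  "b": True,  "c": False}, True),
    ({"a": False, "b": False, "c": True},  False),
]


def run_feed(feed=SAMPLE_FEED, penalty=0.5):
    """Replay the feed; return (number of ensemble mistakes, final weights)."""
    ensemble = WeightedMajority(["a", "b", "c"], penalty)
    mistakes = 0
    for verdicts, truth in feed:
        if ensemble.decide(verdicts) != truth:
            mistakes += 1                    # measured effectiveness of the ensemble
        ensemble.feedback(verdicts, truth)   # learn from the ground truth
    return mistakes, dict(ensemble.weights)


if __name__ == "__main__":
    mistakes, weights = run_feed()
    print(f"ensemble mistakes: {mistakes}")
    for name, w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"  {name}: weight {w:.4f}")
```

On the constructed feed the ensemble is wrong once (on the third message, while the bad service still carries enough weight to tip the vote); by the end the unreliable service has been cut to 1/256 of its starting weight and no longer influences decisions, without anyone having hand-tuned a threshold.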
BI pattern algorithms can be used to detect patterns between seemingly uncorrelated events, such as an increase in probing attacks after a layoff or before an IPO. Is there a correlation between layoffs and attacks? What’s the sentiment about the company? The human response is to put a bodyguard on the CEO – but what’s the system response? The threats are more random.
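One concrete way to test the layoff-versus-probing question above, and to apply the taxonomy idea from the Attack Event and Circumstance Characteristics section, as an added example (not code from the original post): IDS alert lines are mapped onto a small taxonomy so that events are characterized consistently, probe-class alerts are counted per day, and the mean daily probe rate in the week starting on a corporate event is compared with the week before it. The log lines, signature names, taxonomy and layoff date are all constructed for illustration.

```python
"""Correlating IDS probe volume with corporate events.

Added example, not from the original post. TAXONOMY, SAMPLE_LOG and
CORPORATE_EVENTS are constructed; the addresses are RFC 5737 documentation
ranges.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Constructed taxonomy: IDS signature name -> category used for analysis
TAXONOMY = {
    "PORTSCAN": "probe",
    "SSH_BRUTE": "probe",
    "WEB_SCANNER": "probe",
    "MALWARE_C2": "intrusion",
    "POLICY_VIOLATION": "policy",
}

# Constructed IDS alert lines; one line is deliberately malformed.
SAMPLE_LOG = """\
2014-03-03T02:13:44Z ids sig=PORTSCAN src=203.0.113.5 dst=198.51.100.10
2014-03-04T11:02:03Z ids sig=MALWARE_C2 src=198.51.100.22 dst=192.0.2.77
2014-03-05T04:41:09Z ids sig=SSH_BRUTE src=203.0.113.8 dst=198.51.100.11
2014-03-06T09:15:30Z ids sig=POLICY_VIOLATION src=198.51.100.40 dst=192.0.2.9
2014-03-07T23:58:01Z ids sig=WEB_SCANNER src=203.0.113.9 dst=198.51.100.12
2014-03-09T03:20:15Z ids sig=PORTSCAN src=203.0.113.5 dst=198.51.100.10
2014-03-10T00:05:44Z ids sig=PORTSCAN src=203.0.113.17 dst=198.51.100.10
2014-03-10T13:37:00Z ids sig=SSH_BRUTE src=203.0.113.17 dst=198.51.100.11
2014-03-12T01:12:52Z ids sig=WEB_SCANNER src=203.0.113.21 dst=198.51.100.12
2014-03-12T22:45:18Z ids sig=PORTSCAN src=203.0.113.21 dst=198.51.100.13
2014-03-13T05:30:00Z ids sig=SSH_BRUTE src=203.0.113.30 dst=198.51.100.11
2014-03-14T17:00:00Z ids sig=ROGUE_AP src=192.0.2.50 dst=192.0.2.1
2014-03-15T02:02:02Z ids sig=PORTSCAN src=203.0.113.33 dst=198.51.100.10
2014-03-15T19:19:19Z ids sig=WEB_SCANNER src=203.0.113.33 dst=198.51.100.12
2014-03-16T08:08:08Z ids sig=SSH_BRUTE src=203.0.113.40 dst=198.51.100.11
this line is not a valid alert
"""

# Constructed corporate calendar: (event name, date)
CORPORATE_EVENTS = [("layoff announced", date(2014, 3, 10))]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ ids sig=(\S+)")


def parse_log(text):
    """Return [(day, taxonomy category, signature)] for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip malformed lines instead of aborting
        day = date.fromisoformat(m.group(1))
        sig = m.group(2)
        records.append((day, TAXONOMY.get(sig, "unclassified"), sig))
    return records


def daily_counts(records, category):
    """Counter of day -> number of alerts in the given taxonomy category."""
    return Counter(day for day, cat, _ in records if cat == category)


def window_mean(counts, start, days):
    """Mean alerts per day over `days` consecutive days starting at `start`."""
    return sum(counts.get(start + timedelta(i), 0) for i in range(days)) / days


def event_ratio(counts, event_day, days=7):
    """Rate in the window starting on the event divided by the rate in the window before."""
    before = window_mean(counts, event_day - timedelta(days), days)
    after = window_mean(counts, event_day, days)
    if before == 0:
        return float("inf") if after > 0 else 1.0   # no baseline to compare against
    return after / before


def probe_report(text=SAMPLE_LOG, events=CORPORATE_EVENTS, days=7):
    """{event name: after/before probe ratio} for each corporate event."""
    counts = daily_counts(parse_log(text), "probe")
    return {name: event_ratio(counts, day, days) for name, day in events}


if __name__ == "__main__":
    for name, ratio in probe_report().items():
        print(f"{name}: probe rate x{ratio:.2f}, week after vs week before")
```

A ratio well above 1 for one event is a hypothesis, not a finding; the value of keeping the full characterized history is that the same computation can be repeated across every layoff, IPO or press release the company has been through, so that a persistent pattern can be separated from a one-off coincidence.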
Statistical analysis can be used to assess the likelihood of damaging intrusions based on the business profile, allowing the appropriate amount of effort to be spent based on outcomes.
Advanced pattern and fuzzy data set analysis techniques can be applied to see what truly leads a business to be targeted.
Powerful cutting-edge set analysis tools, such as the latest in quantum computing by D-Wave, could be used to research the valuable correlations between the business profile, vulnerability types, and the value and cost of a security strategy.
Build a holistic security profile
There are many types of “assets” that should be part of the total enterprise security picture, many of which are not traditionally used in formal analysis.
You have a rich set of data, and here are examples of things that might come out of it. How do you get value out of that data? You start to aggregate all of the data and start analyzing it (seeing trends, tracking effectiveness of investments, actual incidents vs. predicted incidents, why is this different from 10 years ago?).
The tools and techniques of big data make it feasible to run modern analytics to glean the value from the data. These could be new insights, e.g., the relationship between raises, salaries and turnover rates. The aim is to get predictive analysis from correlations not known ahead of time, monitor the current state of anything possibly connected to those original sets of data, and determine whether any of it had any value. So now you can put an ROI on prevention measures. It has to be measurable. If you don’t have the data to determine how things are now different, how could you possibly have had the data to determine what to do to make things different?
Automated = IDS and IPS (see below) – these include blah blah blah, but they do not tell you what your risks really are (the holes in your fortress). The captain of the guards is making sure the guards are doing their job – the more sophisticated ones are checking IDs: very tactical. But what are the risks based on the attributes of that fort, and on what goes on in the fort that affects its overall risk profile, including what types of attacks it might expect, in comparison to other facilities that are not necessarily forts?
You need to build a comparison to a non-fort facility because otherwise
Hackers have a flavor of the week – and are focused on one type of business profile – not necessarily attacking all places all of the time. If a business steps up security, often hackers move on, and your risk changes.
Whole and part – If you ask ADP about security and you’re a bank
Whole and part – you employ high school grads to do manual labor and you pay below the mean for that labor category for a fortress. What’s the likelihood they will be the source of an attack? Attacks from the inside are the #1 source of attacks. Is employee profile info enough to allow a comparison against the employee profiles of other types of businesses, so as to generate data on your risk exposure for them? That gives you an idea of how much $$ to spend on security measures for people in that role, e.g., facial recognition vs. ID card, or something more sophisticated.
You could spend infinite $$ on security, but the $$ available is always finite, so you need to decide where to spend the $$ and which risks were the tradeoffs. How did the tradeoffs decrease the risk?
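The finite-budget tradeoff in the two paragraphs above, together with the statistical likelihood assessment mentioned earlier, can be made explicit with a small model, shown here as an added example (not code from the original post): each risk in the business profile is a likelihood and an impact (annualized loss expectancy, ALE = likelihood × impact), each candidate control removes a fraction of the likelihood of the risks it addresses, and a fixed budget is spent greedily on whichever control still buys the most ALE reduction per dollar. Every risk, control, probability and dollar figure is constructed for illustration, not taken from any real assessment.

```python
"""Allocating a finite security budget by expected loss reduction.

Added example, not from the original post. RISKS and CONTROLS below are
constructed placeholders for what a real profile comparison would supply.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float    # annual probability of a damaging incident (constructed)
    impact: float        # loss in dollars if it happens (constructed)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float          # one-off cost in dollars (constructed)
    reductions: tuple    # ((risk name, fraction of likelihood removed), ...)

    def factor(self, risk_name):
        """Multiplier left on the likelihood of risk_name once this control is in place."""
        return 1.0 - dict(self.reductions).get(risk_name, 0.0)


def residual_ale(risks, controls):
    """Annualized loss expectancy remaining with `controls` deployed."""
    total = 0.0
    for r in risks:
        likelihood = r.likelihood
        for c in controls:
            likelihood *= c.factor(r.name)
        total += likelihood * r.impact
    return total


def allocate(risks, controls, budget):
    """Greedy allocation: best ALE reduction per dollar first, while it still fits."""
    chosen, pool, remaining = [], list(controls), budget
    while True:
        base = residual_ale(risks, chosen)
        best, best_score = None, 0.0
        for c in pool:
            if c.cost > remaining:
                continue
            score = (base - residual_ale(risks, chosen + [c])) / c.cost
            if score > best_score:
                best, best_score = c, score
        if best is None:
            break                        # nothing affordable still reduces loss
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost
    return chosen, residual_ale(risks, chosen), remaining


# Constructed business profile: three risk scenarios ...
RISKS = (
    Risk("insider_misuse", 0.20, 500_000),
    Risk("vendor_compromise", 0.10, 2_000_000),
    Risk("probe_to_intrusion", 0.05, 1_000_000),
)

# ... and constructed candidate controls, including the ID-card-vs-biometric choice.
CONTROLS = (
    Control("compliance_training", 40_000, (("insider_misuse", 0.5),)),
    Control("vendor_access_review", 60_000, (("vendor_compromise", 0.6),)),
    Control("badge_plus_biometric", 150_000, (("insider_misuse", 0.7),)),
    Control("ids_tuning", 20_000, (("probe_to_intrusion", 0.4),)),
)


def plan(budget=120_000):
    """Names of the chosen controls, residual ALE, and unspent budget."""
    chosen, residual, left = allocate(RISKS, CONTROLS, budget)
    return [c.name for c in chosen], residual, left


if __name__ == "__main__":
    names, residual, left = plan()
    print(f"baseline ALE: ${residual_ale(RISKS, []):,.0f}")
    print(f"chosen: {names}; residual ALE: ${residual:,.0f}; unspent: ${left:,.0f}")
```

With the constructed numbers the baseline ALE is $350,000; a $120,000 budget buys the vendor access review, the compliance training and the IDS tuning, in that order, and leaves a residual ALE of $160,000. The expensive biometric control never fits, which is exactly the tradeoff the text asks about: the model records which risk was left on the table and by how much, so the decision can be revisited when the profile (turnover, vendor count, observed probe rate) changes.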
Proactive risk mitigation
Continuous monitoring of your risk profile would draw on such things as employee retention rate – if you have high turnover and you don’t train people in compliance, what’s your risk exposure compared to banks that have tougher regulations and whose training is 3X as long?
, power outages, infrastructure reliability, governmental strife (unstable govt that has )
The more broadly you deploy the security measure, the
1. The comparison to other orgs and facilities that are not forts –
Add to that: how can I compare myself to other businesses? Then, when you look at the enemy’s thinking, you have a better idea of how you fall as a target.
8. Vulnerability Bulletin Assessment
How it Protects:
By characterizing identified vulnerabilities (from IPS and other threat assessment techniques) a company can create correlations with its own security profile and attacks of unknown methodologies, enabling it to predict with accuracy the characteristics of a potential future attack – and take measured actions to protect and/or prevent.
Bookseller vs. Tuna
There is so much information – how can you get value out of it, in particular value and risks around actual or potential security events?
Based on the type of company, type of business, type of employees and the assets owned what is the appropriate strategy and tactics needed to reduce the threat level to an acceptable amount?
How can the effectiveness of strategy and tactics be measured?
How can compliance with the strategy and tactics be monitored?
How can the characteristics not directly related to infrastructure operations be monitored for impact to a company’s acceptable threat level?
How can the characteristics not directly related to infrastructure operations be monitored for impact to a company’s actual threat level?
How can lessons from the past be leveraged in other companies and new situations?